Hacker News

abtinf, last Wednesday at 8:48 PM

>> This could happen when the TPM device is reset or replaced.

Isn’t that exactly the desired behavior to defend against physical attacks?


Replies

horsawlarway, last Wednesday at 9:01 PM

Sure, but most users probably don't actually want this level of defense.

For the same reason that most folks don't use bank vault doors on their house.

Ex - even reasonably technical people hit this footgun in lots of edge cases... like updating their BIOS, changing the host of a VM running the tool, or having a k8s pod get scheduled on a different node.

I'm surprised this was "default on" at all.

SchemaLoad, last Wednesday at 10:11 PM

Yes, but it turns out the TPM gets reset quite often on shitty hardware.